BleepingComputer
TrickMo Banker Adopts TON
Published May 11, 2026 at 9:03 AM · severity: low
What happened
A new variant of the TrickMo Android banking trojan is targeting smartphone users across Europe with an unusual twist: it routes its command-and-control traffic through The Open Network, the blockchain platform originally developed by the team behind Telegram. Security researchers monitoring the campaign say the malware has expanded its capabilities with new operator commands and adopted decentralized infrastructure to make takedowns and detection markedly harder.
TrickMo has been a fixture of the Android banking-malware landscape for years, known for overlay attacks that mimic legitimate banking apps to harvest login credentials, intercept one-time passcodes, and capture on-device authentication prompts. The latest iteration continues that playbook but layers in a covert communications channel built on TON, allowing the attackers to fetch instructions and updated configurations from a blockchain-based backend rather than a conventional web server. Because blockchain endpoints are distributed and resistant to seizure, defenders cannot simply ask a hosting provider to pull the plug, and traffic to TON nodes may blend into legitimate cryptocurrency activity on infected devices and networks. The new commands extend the operator's control over compromised handsets, broadening the range of fraud and surveillance actions that can be executed remotely once a victim is infected.
The European focus of the current campaign suggests the operators are tailoring lures and overlays to specific banks and financial apps used in the region, a tactic that has historically driven high success rates for Android bankers. Customers of targeted institutions face the prospect of drained accounts, fraudulent transfers, and stolen identity data, while banks and mobile carriers must contend with a malware family that is increasingly difficult to disrupt at the infrastructure level. The adoption of blockchain-based C2 is also likely to influence other criminal developers watching for resilient hosting techniques.
Android users should install apps only from the official Google Play Store, scrutinize requests for Accessibility Service permissions, and keep Play Protect enabled. Enterprises issuing mobile devices should consider mobile threat defense tooling capable of flagging overlay abuse and anomalous network traffic, and financial institutions should bolster transaction monitoring and step-up authentication to catch fraud originating from compromised handsets.
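The advice above, flagging overlay abuse and scrutinizing Accessibility Service permissions, can be turned into a simple triage rule over a device's app inventory. The following is an added example written for this page, not code from BleepingComputer, the researchers cited, or any mobile threat defense product. The permission identifiers are real Android constants; the scoring weights, the threshold, and the four inventory records are constructed assumptions chosen to show the heuristic, and a real deployment would source the records from the platform's PackageManager.

```python
"""Triage heuristic: flag sideloaded Android apps that combine an Accessibility
Service with overlay permission, the pattern overlay bankers such as TrickMo rely on.

Added example with constructed data; the weights below are illustrative assumptions.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Real Android identifiers.
OVERLAY_PERMISSION = "android.permission.SYSTEM_ALERT_WINDOW"
RECEIVE_SMS_PERMISSION = "android.permission.RECEIVE_SMS"
PLAY_STORE_INSTALLER = "com.android.vending"


@dataclass
class AppRecord:
    """One installed app as an inventory tool would report it (constructed shape)."""
    package: str
    installer: Optional[str]                 # installing package; None means unknown/sideloaded
    permissions: Set[str] = field(default_factory=set)
    declares_accessibility_service: bool = False   # manifest declares an AccessibilityService
    accessibility_enabled: bool = False            # user has switched that service on


def risk_score(app: AppRecord) -> Tuple[int, List[str]]:
    """Return an assumed risk score and the reasons that contributed to it."""
    score, reasons = 0, []
    if app.installer != PLAY_STORE_INSTALLER:
        score += 1
        reasons.append("not installed from Google Play")
    if app.declares_accessibility_service:
        score += 2
        reasons.append("declares an Accessibility Service")
        if app.accessibility_enabled:
            score += 1
            reasons.append("Accessibility Service is enabled")
    if OVERLAY_PERMISSION in app.permissions:
        score += 1
        reasons.append("can draw over other apps")
    # The combination is what makes credential-harvesting overlays work, so weight it extra.
    if app.declares_accessibility_service and OVERLAY_PERMISSION in app.permissions:
        score += 2
        reasons.append("accessibility + overlay combination typical of overlay bankers")
    if RECEIVE_SMS_PERMISSION in app.permissions:
        score += 1
        reasons.append("can receive SMS (one-time passcode interception)")
    return score, reasons


def flag_suspicious(inventory: List[AppRecord], threshold: int = 4) -> List[Dict]:
    """Apps scoring at or above the threshold, highest risk first."""
    flagged = []
    for app in inventory:
        score, reasons = risk_score(app)
        if score >= threshold:
            flagged.append({"package": app.package, "score": score, "reasons": reasons})
    return sorted(flagged, key=lambda f: f["score"], reverse=True)


# Constructed inventory: one banking look-alike, one real bank app, one screen reader, one game.
SAMPLE_INVENTORY = [
    AppRecord("com.example.fakebank", None,
              {OVERLAY_PERMISSION, RECEIVE_SMS_PERMISSION},
              declares_accessibility_service=True, accessibility_enabled=True),
    AppRecord("com.example.realbank", PLAY_STORE_INSTALLER, {"android.permission.INTERNET"}),
    AppRecord("com.example.screenreader", PLAY_STORE_INSTALLER, set(),
              declares_accessibility_service=True, accessibility_enabled=True),
    AppRecord("com.example.sideloadedgame", None, {"android.permission.INTERNET"}),
]

if __name__ == "__main__":
    for hit in flag_suspicious(SAMPLE_INVENTORY):
        print(hit["package"], hit["score"], "; ".join(hit["reasons"]))
```

The screen reader scores below the threshold despite an enabled Accessibility Service because it neither draws overlays nor arrived outside Google Play; the heuristic is meant to rank a handset's apps for review, not to block legitimate accessibility tooling.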
Tags
#trickmo #android #banking-malware #ton #mobile-threats
Source reference
https://www.bleepingcomputer.com/news/security/trickmo-android-banker-adopts-ton-blockchain-for-covert-comms/